From e4195230a5e57b2f3f87a33c7ef9a740d7990ee4 Mon Sep 17 00:00:00 2001 From: m3tm3re
Date: Mon, 2 Mar 2026 19:24:28 +0100 Subject: [PATCH] chore: fix netbird ssh --- flake.lock | 34 ++++++++++++++-------------- hosts/common/users/m3tam3re.nix | 1 + hosts/m3-ares/services/default.nix | 15 +++++++++++- hosts/m3-ares/services/netbird.nix | 29 ++++++++++++++++++++++++ hosts/m3-atlas/services/netbird.nix | 27 +++++++++++++++++++++- hosts/m3-kratos/services/netbird.nix | 29 +++++++++++++++++++++++- 6 files changed, 115 insertions(+), 20 deletions(-) create mode 100644 hosts/m3-ares/services/netbird.nix diff --git a/flake.lock b/flake.lock index 27c44d9..7603443 100644 --- a/flake.lock +++ b/flake.lock @@ -246,11 +246,11 @@ "openspec": "openspec" }, "locked": { - "lastModified": 1772041931, - "narHash": "sha256-NQOQrGtR1EXM33JSVUt5Sz5MburSxWU7t9iZrJk9gQo=", + "lastModified": 1772460048, + "narHash": "sha256-qN2a0yrXZplR0z98ZVgWNSwh3hbR600KSJmgHLegjcg=", "ref": "refs/heads/master", - "rev": "e22774539ac26071b1bc0e6e8272df3c3ec732f2", - "revCount": 132, + "rev": "be401c2ebbf336cb6b443a1e9bbee3adb4c58d13", + "revCount": 141, "type": "git", "url": "https://code.m3ta.dev/m3tam3re/nixpkgs" }, @@ -393,11 +393,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1771574031, - "narHash": "sha256-yKeO6auxI8PrBZOdt/LVRDm+bh939E60l4iZKo1ExeA=", + "lastModified": 1772459199, + "narHash": "sha256-bwbGxsckrQDHihUGkb9Bw9+6RnpPOZ1Uo6h+Dp94Th4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ab43bb60c7d266a4a285e863d89c1e69cd124dd5", + "rev": "f88889dd2451655660dde8700eae20f93a789355", "type": "github" }, "original": { @@ -457,11 +457,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1771369470, - "narHash": "sha256-0NBlEBKkN3lufyvFegY4TYv5mCNHbi5OmBDrzihbBMQ=", + "lastModified": 1772198003, + "narHash": "sha256-I45esRSssFtJ8p/gLHUZ1OUaaTaVLluNkABkk6arQwE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "0182a361324364ae3f436a63005877674cf45efb", + "rev": "dd9b079222d43e1943b6ebd802f04fd959dc8e61", "type": "github" }, "original": { 
@@ -548,16 +548,16 @@ ] }, "locked": { - "lastModified": 1772031356, - "narHash": "sha256-PA3/P5nUDlrKD6xjDXFoNNF8U2Wzz2JeeY4H+CzWWgY=", + "lastModified": 1772094145, + "narHash": "sha256-26MV9TbyAF0KFqZtIHPYu6wqJwf0pNPdW/D3gDQEUlQ=", "owner": "anomalyco", "repo": "opencode", - "rev": "de2bc25677b419d2af0da8b6a24a05d3f22b67a8", + "rev": "799b2623cbb1c0f19e045d87c2c8593e83678bc0", "type": "github" }, "original": { "owner": "anomalyco", - "ref": "v1.2.14", + "ref": "v1.2.15", "repo": "opencode", "type": "github" } @@ -570,11 +570,11 @@ ] }, "locked": { - "lastModified": 1771554066, - "narHash": "sha256-nQPz81Um+4zhEeNz1o55Ix1DoBEM3CxeABAmOJkgIac=", + "lastModified": 1772182342, + "narHash": "sha256-9Q0iUyZGcDPLdgvnrBN3GumV8g9akV8TFb8bFkD1yYs=", "owner": "Fission-AI", "repo": "OpenSpec", - "rev": "4ba26902dfecf6f54c5a729993e012a57f4e2877", + "rev": "afdca0d5dab1aa109cfd8848b2512333ccad60c3", "type": "github" }, "original": { diff --git a/hosts/common/users/m3tam3re.nix b/hosts/common/users/m3tam3re.nix index e150cde..ae367e9 100644 --- a/hosts/common/users/m3tam3re.nix +++ b/hosts/common/users/m3tam3re.nix @@ -24,6 +24,7 @@ ]; openssh.authorizedKeys.keys = [ "ssh-rsa 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 m3tam3re@m3-nix" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZcjCKl0DRuOUOMXbM0GKY5JjvmyFpVZ/tRlTKWu/zp razr" ]; packages = [inputs.home-manager.packages.${pkgs.stdenv.hostPlatform.system}.default]; }; diff --git a/hosts/m3-ares/services/default.nix b/hosts/m3-ares/services/default.nix index 8b9d241..5839b7a 100644 --- a/hosts/m3-ares/services/default.nix +++ b/hosts/m3-ares/services/default.nix @@ -1,6 +1,7 @@ -{ +{pkgs, ...}: { imports = [ ./containers + ./netbird.nix #./n8n.nix ./mem0.nix ./postgres.nix 
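Review bot: The added `ssh-ed25519 … razr` entry in hosts/common/users/m3tam3re.nix sits in the shared user definition, so it is presumably accepted for login on every host that imports this file, not only the machines touched by the netbird change. The commit title does not mention a new credential, and the key's comment field alone does not say which device or person holds the private key. I would add a line above it such as `# razr: <device/owner placeholder>, added with the netbird ssh fix`, or move the key to the hosts that actually need it. The enclosing user attribute set starts and ends outside the hunk.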
@@ -9,8 +10,20 @@
 ./udev.nix
 ./wireguard.nix
 ];
+ # console.useXkbConfig = true;
+
+ # services.xserver.xkb = {
+ # layout = "de,us";
+ # options = "ctrl:nocaps";
+ # };
+
+ # optional, falls du auch die TTY-Konsole deutsch willst:
 services = {
 hypridle.enable = true;
+ espanso = {
+ enable = true;
+ package = pkgs.espanso-wayland;
+ };
 printing.enable = true;
 gvfs.enable = true;
 trezord.enable = true;
diff --git a/hosts/m3-ares/services/netbird.nix b/hosts/m3-ares/services/netbird.nix
new file mode 100644
index 0000000..bed5199
--- /dev/null
+++ b/hosts/m3-ares/services/netbird.nix
@@ -0,0 +1,29 @@
+{pkgs, ...}: {
+ services.netbird.enable = true;
+ environment.systemPackages = with pkgs; [netbird-ui];
+
+ systemd.services.netbird = {
+ environment = {
+ NB_DISABLE_SSH_CONFIG = "true";
+ };
+ path = [
+ pkgs.shadow
+ pkgs.util-linux
+ ];
+ };
+
+ programs.ssh.extraConfig = ''
+ Match exec "${pkgs.netbird}/bin/netbird ssh detect %h %p"
+ PreferredAuthentications password,publickey,keyboard-interactive
+ PasswordAuthentication yes
+ PubkeyAuthentication yes
+ BatchMode no
+ ProxyCommand ${pkgs.netbird}/bin/netbird ssh proxy %h %p
+ StrictHostKeyChecking no
+ UserKnownHostsFile /dev/null
+ CheckHostIP no
+ LogLevel ERROR
+ '';
+
+ networking.firewall.checkReversePath = "loose";
+}
diff --git a/hosts/m3-atlas/services/netbird.nix b/hosts/m3-atlas/services/netbird.nix
index 580d4fa..10cc079 100644
--- a/hosts/m3-atlas/services/netbird.nix
+++ b/hosts/m3-atlas/services/netbird.nix
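Review bot: In the second hunk of hosts/m3-ares/services/default.nix the added comment `# optional, falls du auch die TTY-Konsole deutsch willst:` now sits directly above `services = {` and reads as if it described that block, while the option it refers to (`console.useXkbConfig`) is commented out several lines earlier. The commented-out xkb settings and the `espanso` enablement are unrelated to the stated purpose of the commit; I would drop the dead comments or move them into their own change. If they stay, an English one-liner such as `# disabled: xkb layout for the console, see console.useXkbConfig` placed next to the commented option would be clearer.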
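Review bot: The `Match exec` block in the new hosts/m3-ares/services/netbird.nix turns off host identity checks (`StrictHostKeyChecking no`, `UserKnownHostsFile /dev/null`, `CheckHostIP no`) while listing `password` first in `PreferredAuthentications`, and `LogLevel ERROR` hides the warnings ssh would otherwise print. For any destination that `netbird ssh detect` accepts, the client therefore relies entirely on the NetBird proxy and tunnel to authenticate the peer before a password may be typed; nothing in the file records that assumption. I would add a comment above `programs.ssh.extraConfig` along the lines of `# Host keys are not verified here; peer identity comes from the NetBird tunnel (replaces the config NB_DISABLE_SSH_CONFIG suppresses)`, where the second half is my inference and should be confirmed. If the peers' host keys are stable, `StrictHostKeyChecking accept-new` with a dedicated `UserKnownHostsFile` would keep a record of them. The same block is added to hosts/m3-atlas and hosts/m3-kratos in this commit.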
@@ -1,3 +1,28 @@
-{
+{pkgs, ...}: {
 services.netbird.enable = true;
+
+ systemd.services.netbird = {
+ environment = {
+ NB_DISABLE_SSH_CONFIG = "true";
+ };
+ path = [
+ pkgs.shadow
+ pkgs.util-linux
+ ];
+ };
+
+ programs.ssh.extraConfig = ''
+ Match exec "${pkgs.netbird}/bin/netbird ssh detect %h %p"
+ PreferredAuthentications password,publickey,keyboard-interactive
+ PasswordAuthentication yes
+ PubkeyAuthentication yes
+ BatchMode no
+ ProxyCommand ${pkgs.netbird}/bin/netbird ssh proxy %h %p
+ StrictHostKeyChecking no
+ UserKnownHostsFile /dev/null
+ CheckHostIP no
+ LogLevel ERROR
+ '';
+
+ networking.firewall.checkReversePath = "loose";
 }
diff --git a/hosts/m3-kratos/services/netbird.nix b/hosts/m3-kratos/services/netbird.nix
index 8a73d6e..13e25a2 100644
--- a/hosts/m3-kratos/services/netbird.nix
+++ b/hosts/m3-kratos/services/netbird.nix
@@ -1,5 +1,32 @@
 {pkgs, ...}: {
 services.netbird.enable = true;
- environment.systemPackages = [pkgs.netbird-ui];
+ environment.systemPackages = with pkgs; [netbird-ui];
+
+ systemd.services.netbird = {
+ environment = {
+ NB_DISABLE_SSH_CONFIG = "true";
+ };
+ path = [
+ pkgs.shadow # login
+ pkgs.util-linux # runuser
+ ];
+ };
+
+ # Symlink kannst du jetzt ENTFERNEN – nicht mehr nötig!
+ # system.activationScripts.netbird-login-link = ... # LÖSCHEN
+
+ programs.ssh.extraConfig = ''
+ Match exec "${pkgs.netbird}/bin/netbird ssh detect %h %p"
+ PreferredAuthentications password,publickey,keyboard-interactive
+ PasswordAuthentication yes
+ PubkeyAuthentication yes
+ BatchMode no
+ ProxyCommand ${pkgs.netbird}/bin/netbird ssh proxy %h %p
+ StrictHostKeyChecking no
+ UserKnownHostsFile /dev/null
+ CheckHostIP no
+ LogLevel ERROR
+ '';
+
 networking.firewall.checkReversePath = "loose";
 }
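Review bot: The hosts/m3-kratos/services/netbird.nix hunk adds two notes-to-self, `# Symlink kannst du jetzt ENTFERNEN – nicht mehr nötig!` and `# system.activationScripts.netbird-login-link = ... # LÖSCHEN`, which describe an edit still to be made rather than the configuration as committed. No `netbird-login-link` activation script is visible in this hunk, so the comments look stale on arrival; I would delete them or replace them with `# pkgs.shadow (login) and pkgs.util-linux (runuser) on the unit's PATH replace the former login symlink`, a wording inferred from the inline `# login` / `# runuser` comments. With this commit the `systemd.services.netbird` and `programs.ssh.extraConfig` blocks are the same in the ares, atlas and kratos files apart from comments, so a single shared module imported by the three hosts would keep the SSH client policy in one place.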